[task] Fix dangerous workflow_run trigger in smoke-detector #3123
Description
Objective
Replace the dangerous workflow_run trigger in smoke-detector.lock.yml with a secure workflow_call pattern.
Context
The current smoke-detector workflow uses workflow_run trigger which is fundamentally insecure. It runs in the context of the base branch with full repository permissions, even when triggered by code from forks or untrusted branches. This creates a critical security vulnerability (HIGH severity) that allows potential:
- Secret extraction
- Repository compromise
- Malicious code injection
- CI/CD pipeline tampering
Related to discussion #3120 - Static Analysis Report finding #1.
Approach
- Convert smoke-detector.yml to use
workflow_calltrigger with explicit inputs - Update all smoke test workflows (smoke-claude.yml, smoke-codex.yml, smoke-copilot.yml) to call the detector using the new pattern
- Add explicit minimal permissions (
contents: read,issues: write) - Replace direct workflow_run context with safe inputs
Files to Modify
.github/workflows/smoke-detector.md- Convert to workflow_call pattern with inputs.github/workflows/smoke-claude.md- Add investigate-on-failure job that calls smoke-detector.github/workflows/smoke-codex.md- Add investigate-on-failure job that calls smoke-detector.github/workflows/smoke-copilot.md- Add investigate-on-failure job that calls smoke-detector- Recompile all affected workflows with
gh aw compile
Acceptance Criteria
- smoke-detector uses
workflow_calltrigger instead ofworkflow_run - All smoke test workflows call smoke-detector with
uses:pattern - Workflow inputs include: workflow_name, run_id, conclusion
- Permissions are explicitly set to minimal required (
contents: read,issues: write) - Test with a fork PR to verify no privilege escalation
- Zizmor scan shows no dangerous-triggers findings
- All workflows compile successfully
Related to 🔍 Static Analysis Report - November 4, 2025 #3120
AI generated by Plan Command for discussion #3120